NotificationsYou must be signed in to change notification settings
Fork327
Star1.7k

Commit88821f2

authored

feat(package): remove MD5 hashing entirely (#1262)

1 parentce5fe53 commit88821f2Copy full SHA for 88821f2

File tree

3 files changed

-42

lines changed

3 files changed

-42

lines changed

`‎changelog/1262.removal.rst‎`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,7 @@`
	`1`	`+Remove support for MD5 digests during uploads.`
	`2`	`+`
	`3`	`+This support was entirely vestigial, as MD5 is not a secure hash function`
	`4`	`+and is not actually required on upload by PyPI.`
	`5`	`+`
	`6`	`+Indices that cross-reference the uploaded content with a digest should`
	`7`	`+use the provided SHA-256 and/or BLAKE2 digests instead.`

`‎tests/test_package.py‎`

Lines changed: 1 addition & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -294,7 +294,6 @@ def test_metadata_dictionary_values(gpg_signature, attestation):`
`294`	`294`
`295`	`295`
`296`	`296`	`TWINE_1_5_0_WHEEL_HEXDIGEST=package_file.Hexdigest(`
`297`		`-"1919f967e990bee7413e2a4bc35fd5d1",`
`298`	`297`	`"d86b0f33f0c7df49e888b11c43b417da5520cbdbce9f20618b1494b600061e67",`
`299`	`298`	`"b657a4148d05bd0098c1d6d8cc4e14e766dbe93c3a5ab6723b969da27a87bac0",`
`300`	`299`	`)`
`@@ -308,18 +307,6 @@ def test_hash_manager():`
`308`	`307`	`asserthasher.hexdigest()==TWINE_1_5_0_WHEEL_HEXDIGEST`
`309`	`308`
`310`	`309`
`311`		`-deftest_fips_hash_manager_md5(monkeypatch):`
`312`		`-"""Generate hexdigest without MD5 when hashlib is using FIPS mode."""`
`313`		`-replaced_md5=pretend.raiser(ValueError("fipsmode"))`
`314`		`-monkeypatch.setattr(package_file.hashlib,"md5",replaced_md5)`
`315`		`-`
`316`		`-filename="tests/fixtures/twine-1.5.0-py2.py3-none-any.whl"`
`317`		`-hasher=package_file.HashManager(filename)`
`318`		`-hasher.hash()`
`319`		`-hashes=TWINE_1_5_0_WHEEL_HEXDIGEST._replace(md5=None)`
`320`		`-asserthasher.hexdigest()==hashes`
`321`		`-`
`322`		`-`
`323`	`310`	`@pytest.mark.parametrize("exception_class", [TypeError,ValueError])`
`324`	`311`	`deftest_fips_hash_manager_blake2(exception_class,monkeypatch):`
`325`	`312`	`"""Generate hexdigest without BLAKE2 when hashlib is using FIPS mode."""`
`@@ -333,21 +320,18 @@ def test_fips_hash_manager_blake2(exception_class, monkeypatch):`
`333`	`320`	`asserthasher.hexdigest()==hashes`
`334`	`321`
`335`	`322`
`336`		`-deftest_fips_metadata_excludes_md5_and_blake2(monkeypatch):`
	`323`	`+deftest_fips_metadata_excludes_blake2(monkeypatch):`
`337`	`324`	`"""Generate a valid metadata dictionary for Nexus when FIPS is enabled.`
`338`	`325`
`339`	`326`	`See also: https://github.com/pypa/twine/issues/775`
`340`	`327`	`"""`
`341`	`328`	`replaced_blake2b=pretend.raiser(ValueError("fipsmode"))`
`342`		`-replaced_md5=pretend.raiser(ValueError("fipsmode"))`
`343`		`-monkeypatch.setattr(package_file.hashlib,"md5",replaced_md5)`
`344`	`329`	`monkeypatch.setattr(package_file.hashlib,"blake2b",replaced_blake2b)`
`345`	`330`
`346`	`331`	`filename="tests/fixtures/twine-1.5.0-py2.py3-none-any.whl"`
`347`	`332`	`pf=package_file.PackageFile.from_filename(filename,None)`
`348`	`333`
`349`	`334`	`mddict=pf.metadata_dictionary()`
`350`		`-assert"md5_digest"notinmddict`
`351`	`335`	`assert"blake2_256_digest"notinmddict`
`352`	`336`
`353`	`337`

`‎twine/package.py‎`

Lines changed: 1 addition & 25 deletions

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,6 @@ class PackageMetadata(TypedDict, total=False):`
`157`	`157`	`filetype:str`
`158`	`158`	`gpg_signature:Tuple[str,bytes]`
`159`	`159`	`attestations:str`
`160`		`-md5_digest:str`
`161`	`160`	`sha256_digest:str`
`162`	`161`	`blake2_256_digest:str`
`163`	`162`
`@@ -188,7 +187,6 @@ def __init__(`
`188`	`187`	`hasher.hash()`
`189`	`188`	`hexdigest=hasher.hexdigest()`
`190`	`189`
`191`		`-self.md5_digest=hexdigest.md5`
`192`	`190`	`self.sha2_digest=hexdigest.sha2`
`193`	`191`	`self.blake2_256_digest=hexdigest.blake2`
`194`	`192`
`@@ -274,7 +272,7 @@ def metadata_dictionary(self) -> PackageMetadata:`
`274`	`272`
`275`	`273`	`# Additional meta-data: some of these fileds may not be set. Some`
`276`	`274`	`# package repositories do not allow null values, so this only sends`
`277`		`-# non-null values. In particular, FIPS disablesMD5 andBlake2, making`
	`275`	`+# non-null values. In particular, FIPS disables Blake2, making`
`278`	`276`	`# the digest values null. See https://github.com/pypa/twine/issues/775`
`279`	`277`
`280`	`278`	`ifself.commentisnotNone:`
`@@ -289,9 +287,6 @@ def metadata_dictionary(self) -> PackageMetadata:`
`289`	`287`	`ifself.attestationsisnotNone:`
`290`	`288`	`data["attestations"]=json.dumps(self.attestations)`
`291`	`289`
`292`		`-ifself.md5_digest:`
`293`		`-data["md5_digest"]=self.md5_digest`
`294`		`-`
`295`	`290`	`ifself.blake2_256_digest:`
`296`	`291`	`data["blake2_256_digest"]=self.blake2_256_digest`
`297`	`292`
`@@ -352,7 +347,6 @@ def run_gpg(cls, gpg_args: Tuple[str, ...]) -> None:`
`352`	`347`
`353`	`348`
`354`	`349`	`classHexdigest(NamedTuple):`
`355`		`-md5:Optional[str]`
`356`	`350`	`sha2:Optional[str]`
`357`	`351`	`blake2:Optional[str]`
`358`	`352`
`@@ -367,13 +361,6 @@ def __init__(self, filename: str) -> None:`
`367`	`361`	`"""Initialize our manager and hasher objects."""`
`368`	`362`	`self.filename=filename`
`369`	`363`
`370`		`-self._md5_hasher=None`
`371`		`-try:`
`372`		`-self._md5_hasher=hashlib.md5()`
`373`		`-exceptValueError:`
`374`		`-# FIPs mode disables MD5`
`375`		`-pass`
`376`		`-`
`377`	`364`	`self._sha2_hasher=hashlib.sha256()`
`378`	`365`
`379`	`366`	`self._blake_hasher=None`
`@@ -383,15 +370,6 @@ def __init__(self, filename: str) -> None:`
`383`	`370`	`# FIPS mode disables blake2`
`384`	`371`	`pass`
`385`	`372`
`386`		`-def_md5_update(self,content:bytes)->None:`
`387`		`-ifself._md5_hasherisnotNone:`
`388`		`-self._md5_hasher.update(content)`
`389`		`-`
`390`		`-def_md5_hexdigest(self)->Optional[str]:`
`391`		`-ifself._md5_hasherisnotNone:`
`392`		`-returnself._md5_hasher.hexdigest()`
`393`		`-returnNone`
`394`		`-`
`395`	`373`	`def_sha2_update(self,content:bytes)->None:`
`396`	`374`	`ifself._sha2_hasherisnotNone:`
`397`	`375`	`self._sha2_hasher.update(content)`
`@@ -414,14 +392,12 @@ def hash(self) -> None:`
`414`	`392`	`"""Hash the file contents."""`
`415`	`393`	`withopen(self.filename,"rb")asfp:`
`416`	`394`	`forcontentiniter(lambda:fp.read(io.DEFAULT_BUFFER_SIZE),b""):`
`417`		`-self._md5_update(content)`
`418`	`395`	`self._sha2_update(content)`
`419`	`396`	`self._blake_update(content)`
`420`	`397`
`421`	`398`	`defhexdigest(self)->Hexdigest:`
`422`	`399`	`"""Return the hexdigest for the file."""`
`423`	`400`	`returnHexdigest(`
`424`		`-self._md5_hexdigest(),`
`425`	`401`	`self._sha2_hexdigest(),`
`426`	`402`	`self._blake_hexdigest(),`
`427`	`403`	`)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit88821f2

File tree

3 files changed

3 files changed

`‎changelog/1262.removal.rst‎`

`‎tests/test_package.py‎`

`‎twine/package.py‎`

0 commit comments